oss-sec mailing list archives
Go 1.22.2 and 1.21.9 (CVE-2023-45288 HTTP/2 CONTINUATION issue)
From: Jan Schaumann <jschauma () netmeister org>
Date: Fri, 5 Apr 2024 14:11:49 -0400
[ Forwarding another announcement I didn't see on this list relating to VU#421644 ]

https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M

| We have just released Go versions 1.22.2 and 1.21.9,
| minor point releases.
|
| These minor releases include 1 security fix
| following the security policy:
|
| http2: close connections when receiving too many
| headers
|
| Maintaining HPACK state requires that we parse and
| process all HEADERS and CONTINUATION frames on a
| connection. When a request's headers exceed
| MaxHeaderBytes, we don't allocate memory to store the
| excess headers but we do parse them. This permits an
| attacker to cause an HTTP/2 endpoint to read arbitrary
| amounts of header data, all associated with a request
| which is going to be rejected. These headers can
| include Huffman-encoded data which is significantly
| more expensive for the receiver to decode than for an
| attacker to send.
|
| Set a limit on the amount of excess header frames we
| will process before closing a connection.
|
| Thanks to Bartek Nowotarski (https://nowotarski.info/)
| for reporting this issue.
|
| This is CVE-2023-45288 and Go issue
| https://go.dev/issue/65051.
|
| View the release notes for more information:
| https://go.dev/doc/devel/release#go1.22.2
|
| You can download binary and source distributions from
| the Go website:
| https://go.dev/dl/
|
| To compile from source using a Git clone, update to
| the release with
| git checkout go1.22.2 and build as usual.
|
| Thanks to everyone who contributed to the releases.
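To make the fix described in the forwarded advisory concrete, the following is a constructed Go model of the receive path it describes (an added example, not Go's net/http or x/net/http2 code): every HEADERS/CONTINUATION fragment is parsed so HPACK state stays in sync, bytes beyond the request's MaxHeaderBytes are counted as excess rather than stored, and an assumed per-connection cap on that excess closes the connection instead of reading header data indefinitely. The `frame`/`conn` types, the frame sizes and the cap value are assumptions of the model, and a cap of 0 reproduces the pre-fix behaviour for comparison.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model of the receive path the advisory describes, not Go's
// own net/http or x/net/http2 code. A header block is one HEADERS frame
// plus CONTINUATION frames; the last frame carries END_HEADERS.
type frame struct {
	payload    int  // bytes of header-block fragment in this frame
	endHeaders bool // END_HEADERS flag set
}

type conn struct {
	maxHeaderBytes int // per-request limit (net/http's MaxHeaderBytes)
	maxExcessBytes int // assumed cap on parsed-but-discarded bytes; 0 = no cap (pre-fix)
	excess         int // bytes parsed beyond maxHeaderBytes on this connection
}
var errTooMuchExcess = errors.New("closing connection: excess header data limit exceeded")

// readHeaderBlock consumes one header block. Fragments past the request
// limit are still parsed (HPACK state must stay in sync) but not stored, and
// the request is rejected (ok=false); with a cap, the connection closes early.
func (c *conn) readHeaderBlock(frames []frame) (ok bool, err error) {
	ok, stored := true, 0
	for _, f := range frames {
		keep := f.payload // part of this fragment we still have room to store
		if room := c.maxHeaderBytes - stored; keep > room {
			keep = room
		}
		stored += keep
		if over := f.payload - keep; over > 0 {
			ok = false // request will be rejected, but parsing continues
			c.excess += over
		}
		if c.maxExcessBytes > 0 && c.excess > c.maxExcessBytes {
			return false, errTooMuchExcess // the fix: stop reading, close the connection
		}
		if f.endHeaders {
			return ok, nil
		}
	}
	return false, errors.New("header block ended without END_HEADERS")
}

func main() {
	c := &conn{maxHeaderBytes: 1000, maxExcessBytes: 2000} // constructed limits
	fmt.Println(c.readHeaderBlock([]frame{{900, false}, {1000, false}, {1000, false}, {1000, true}}))
}
```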